redline | 61aa9d12ce3598966dc1514db442fe726f167b17e2b0a7ca6a30f82ebcb1f0a0

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61aa9d12ce3598966dc1514db.exe
Size

502KB
MD5

a2696885c43b65bb96cb145eca45c9fc
SHA1

8fea508ec2dee517b2ee38b835399fce6ac468d5
SHA256

61aa9d12ce3598966dc1514db442fe726f167b17e2b0a7ca6a30f82ebcb1f0a0
SHA512

8c34700b60da0da97a64a60bffdf77780dd55c243cae7f235f450177f2662fd22cce01588f382a93fe7edd269fa9fbbf59459e943bfdd453990ded97a17f6ae8
SSDEEP

12288:hqiHS+fvHaRdnQgH/6pt0UhPaVKAvwP+zsFW2d:hqiHSkvH82gat5fN+mW2d

Score

10^/10

redline furod infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3008	x8959098.exe
2280	f6500714.exe

Loads dropped DLL 5 IoCs

pid	Process
1100	61aa9d12ce3598966dc1514db.exe
3008	x8959098.exe
3008	x8959098.exe
3008	x8959098.exe
2280	f6500714.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	61aa9d12ce3598966dc1514db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	61aa9d12ce3598966dc1514db.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x8959098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8959098.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3008	1100	61aa9d12ce3598966dc1514db.exe	30
PID 1100 wrote to memory of 3008	1100	61aa9d12ce3598966dc1514db.exe	30
PID 1100 wrote to memory of 3008	1100	61aa9d12ce3598966dc1514db.exe	30
PID 1100 wrote to memory of 3008	1100	61aa9d12ce3598966dc1514db.exe	30
PID 1100 wrote to memory of 3008	1100	61aa9d12ce3598966dc1514db.exe	30
PID 1100 wrote to memory of 3008	1100	61aa9d12ce3598966dc1514db.exe	30
PID 1100 wrote to memory of 3008	1100	61aa9d12ce3598966dc1514db.exe	30
PID 3008 wrote to memory of 2280	3008	x8959098.exe	31
PID 3008 wrote to memory of 2280	3008	x8959098.exe	31
PID 3008 wrote to memory of 2280	3008	x8959098.exe	31
PID 3008 wrote to memory of 2280	3008	x8959098.exe	31
PID 3008 wrote to memory of 2280	3008	x8959098.exe	31
PID 3008 wrote to memory of 2280	3008	x8959098.exe	31
PID 3008 wrote to memory of 2280	3008	x8959098.exe	31

C:\Users\Admin\AppData\Local\Temp\61aa9d12ce3598966dc1514db.exe
"C:\Users\Admin\AppData\Local\Temp\61aa9d12ce3598966dc1514db.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe

Filesize
318KB

MD5
ff3953a57d031e67dc493d179eada79a

SHA1
739c9bef06a6f2013e00ebb50c249217b6c419ab

SHA256
91da317526588d2da62bc875d6e4a6e71c9b5d09ecd03ebcdf2a3093b65fd5a1

SHA512
ce1a4a0b488f655a1cbf17f99e92257ad41cfeb3a62348e5354c1dd912e5797a66db0645c73b063da8c1009b4e3cbe283d640aca944d400408ca22e9d57a0e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe

Filesize
318KB

MD5
ff3953a57d031e67dc493d179eada79a

SHA1
739c9bef06a6f2013e00ebb50c249217b6c419ab

SHA256
91da317526588d2da62bc875d6e4a6e71c9b5d09ecd03ebcdf2a3093b65fd5a1

SHA512
ce1a4a0b488f655a1cbf17f99e92257ad41cfeb3a62348e5354c1dd912e5797a66db0645c73b063da8c1009b4e3cbe283d640aca944d400408ca22e9d57a0e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe

Filesize
255KB

MD5
317fde5f58733468c8f7bcc5a08ea975

SHA1
eeed96149bd6ce17220608bd283e203f75d6c1f9

SHA256
51dd2af9e46324612239706ec4ba2ead07f722a3c55e18d18791af68ade2d4e7

SHA512
10638579b1dd71e555e19d42dba96e15c5c58e7766b0ffbf31ad64242df55fd03c199e325b2e9907495c73ce96619090a8af8b974f2bc84842c19bb860591f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe

Filesize
255KB

MD5
317fde5f58733468c8f7bcc5a08ea975

SHA1
eeed96149bd6ce17220608bd283e203f75d6c1f9

SHA256
51dd2af9e46324612239706ec4ba2ead07f722a3c55e18d18791af68ade2d4e7

SHA512
10638579b1dd71e555e19d42dba96e15c5c58e7766b0ffbf31ad64242df55fd03c199e325b2e9907495c73ce96619090a8af8b974f2bc84842c19bb860591f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe

Filesize
255KB

MD5
317fde5f58733468c8f7bcc5a08ea975

SHA1
eeed96149bd6ce17220608bd283e203f75d6c1f9

SHA256
51dd2af9e46324612239706ec4ba2ead07f722a3c55e18d18791af68ade2d4e7

SHA512
10638579b1dd71e555e19d42dba96e15c5c58e7766b0ffbf31ad64242df55fd03c199e325b2e9907495c73ce96619090a8af8b974f2bc84842c19bb860591f55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe

Filesize
318KB

MD5
ff3953a57d031e67dc493d179eada79a

SHA1
739c9bef06a6f2013e00ebb50c249217b6c419ab

SHA256
91da317526588d2da62bc875d6e4a6e71c9b5d09ecd03ebcdf2a3093b65fd5a1

SHA512
ce1a4a0b488f655a1cbf17f99e92257ad41cfeb3a62348e5354c1dd912e5797a66db0645c73b063da8c1009b4e3cbe283d640aca944d400408ca22e9d57a0e78

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8959098.exe

Filesize
318KB

MD5
ff3953a57d031e67dc493d179eada79a

SHA1
739c9bef06a6f2013e00ebb50c249217b6c419ab

SHA256
91da317526588d2da62bc875d6e4a6e71c9b5d09ecd03ebcdf2a3093b65fd5a1

SHA512
ce1a4a0b488f655a1cbf17f99e92257ad41cfeb3a62348e5354c1dd912e5797a66db0645c73b063da8c1009b4e3cbe283d640aca944d400408ca22e9d57a0e78

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe

Filesize
255KB

MD5
317fde5f58733468c8f7bcc5a08ea975

SHA1
eeed96149bd6ce17220608bd283e203f75d6c1f9

SHA256
51dd2af9e46324612239706ec4ba2ead07f722a3c55e18d18791af68ade2d4e7

SHA512
10638579b1dd71e555e19d42dba96e15c5c58e7766b0ffbf31ad64242df55fd03c199e325b2e9907495c73ce96619090a8af8b974f2bc84842c19bb860591f55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe

Filesize
255KB

MD5
317fde5f58733468c8f7bcc5a08ea975

SHA1
eeed96149bd6ce17220608bd283e203f75d6c1f9

SHA256
51dd2af9e46324612239706ec4ba2ead07f722a3c55e18d18791af68ade2d4e7

SHA512
10638579b1dd71e555e19d42dba96e15c5c58e7766b0ffbf31ad64242df55fd03c199e325b2e9907495c73ce96619090a8af8b974f2bc84842c19bb860591f55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\f6500714.exe

Filesize
255KB

MD5
317fde5f58733468c8f7bcc5a08ea975

SHA1
eeed96149bd6ce17220608bd283e203f75d6c1f9

SHA256
51dd2af9e46324612239706ec4ba2ead07f722a3c55e18d18791af68ade2d4e7

SHA512
10638579b1dd71e555e19d42dba96e15c5c58e7766b0ffbf31ad64242df55fd03c199e325b2e9907495c73ce96619090a8af8b974f2bc84842c19bb860591f55

Download Submit
memory/1100-54-0x0000000000220000-0x000000000028E000-memory.dmp

Filesize
440KB

Download
memory/2280-83-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/2280-87-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/2280-88-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download